Analysis

  • max time kernel
    30s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-06-2021 23:44

General

  • Target

    docs,06.21.doc

  • Size

    50KB

  • MD5

    a75fa282ba05937f43c4425e548f1d5c

  • SHA1

    565ca43482c76d02eb4f5e55deb2af53dfa3b8db

  • SHA256

    266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602

  • SHA512

    6343c053c5cca9f6e4b9e4b157c19aba9c47cc1722e4b8a158009cce7c7a8cb88dc3cbb95581888c76fd708c1d8c212dca1a5dc9a393594957fb7f6602c119f5

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\\users\\public\\buttListboxSngl.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\buttListboxSngl.jpg
          4⤵
          • Loads dropped DLL
          PID:1780
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1188

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\users\public\buttListboxSngl.hta
      MD5

      aa68b2d92b79feae09dcb76d34ac9fb7

      SHA1

      8ead6aa56c4426d4fe5f7d415d927379a116c03d

      SHA256

      7a8ba83948952fb9fdc6237adf609e8e3f1caf2dbce6ca6e6b5ae4aca0d04a20

      SHA512

      a09cf9694aee32013a3ee6718d30168f6ee2fb407a7396fece6388009de9608391725d4e590f1f659fcfcd7830cb644310cae4463127772fa5d00ed8f7fbc793

    • \??\c:\users\public\buttListboxSngl.jpg
      MD5

      f898faedc2fd455398a9efdebf1ce335

      SHA1

      781b649cff1e06c3ce2a8c64eccbe47bd8f126fa

      SHA256

      cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495

      SHA512

      6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4

    • \Users\Public\buttListboxSngl.jpg
      MD5

      f898faedc2fd455398a9efdebf1ce335

      SHA1

      781b649cff1e06c3ce2a8c64eccbe47bd8f126fa

      SHA256

      cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495

      SHA512

      6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4

    • memory/792-61-0x000000006FAF1000-0x000000006FAF3000-memory.dmp
      Filesize

      8KB

    • memory/792-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/792-75-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/792-60-0x0000000072071000-0x0000000072074000-memory.dmp
      Filesize

      12KB

    • memory/1188-67-0x0000000000000000-mapping.dmp
    • memory/1188-68-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
      Filesize

      8KB

    • memory/1232-64-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

    • memory/1232-63-0x0000000000000000-mapping.dmp
    • memory/1300-66-0x0000000000000000-mapping.dmp
    • memory/1780-69-0x0000000000000000-mapping.dmp
    • memory/1780-73-0x000000006A910000-0x000000006A91D000-memory.dmp
      Filesize

      52KB

    • memory/1780-74-0x000000006A910000-0x000000006AA40000-memory.dmp
      Filesize

      1.2MB

    • memory/1780-76-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB